Checking Azure Active Directory Licensing

A prerequisite for being able to use classic TOTP hardware tokens is having  Azure Active Directory Premium P1 or P2 license activated. When choosing a hardware token model, it is important to know which Azure AD (Microsoft Entra ID) license you have. On this page, we will show how to confirm which Azure AD (Microsoft Entra ID) License is available for your tenant subscription.

Microsoft licensing, especially Azure Active Directory licensing, can be confusing for some businesses. As Microsoft continues to add various license options with different variations of the Azure AD (Microsoft Entra ID) licenses included or excluded, it is quite hard to tell whether an AD Premium license is available. For example, at the time of writing, Microsoft offers 2 different education packages, similarly named (both are A3), but one of them does not have the AD Premium option included (Office 365 Education A3), while another one (Microsoft 365 Education A3) has.

Checking Azure Active Directory Licensing


We used the Education subscriptions only as an example, the regular commercial subscriptions, as well as special and government packages may also have such discrepancies.
Follow the instructions below to check your Azure AD (Microsoft Entra ID) license type.

Method 1. Active Directory Admin Center

Navigate to https://aad.portal.azure.com/  and check the Overview section. If your tenant has a Premium license enabled, it will be mentioned in the Overview section. See the examples below:

Checking Azure Active Directory Licensing


Method 2. User Licenses

From Microsoft 365 Admin portal ( https://admin.microsoft.com/ ), navigate to Users section and select Active Users. Click on a user record, and from the right side, select Licenses and Apps . The Active Directory plan should be appearing under Apps, as shown on the example below:

Checking Azure Active Directory Licensing

If no Active Directory license is shown, then the user has no Azure AD (Microsoft Entra ID) Premium license assigned (and the classic tokens feature cannot be used for this user account).

Method 3. PowerShell

You can use Get-AzureADSubscribedSku commandlet to query the Azure AD (Microsoft Entra ID) license. The syntax and expected output are as follows:


PS C:\> Get-AzureADSubscribedSku

ObjectId                                                                  SkuPartNumber         PrepaidUnits                                                             ConsumedUnits
--------                                                                  -------------         ------------                                                             -------------
85b5ff1e-0402-400c-9e3c-0f9e965325d1_078d2b04-f1bd-4111-bbd4-b4b1b354cef4 AAD_PREMIUM           class LicenseUnitsDetail {... 
6
85b5ff1e-0402-400c-9e3c-0f9e965325d1_f245ecc8-75af-4f8e-b61f-27d8114de5f3 O365_BUSINESS_PREMIUM class LicenseUnitsDetail {... 
24


Once you checked whether you have Azure AD (Microsoft Entra ID) Premium license, you can purchase the most cost-effective classic tokens and leverage the centralized activation. If your Azure AD (Microsoft Entra ID) is Free or Basic, you can still use hardware tokens, but only the programmable ones and the enrollment is to be done from within the user context.

Please note that these license requirements only apply to Azure MFA methods; for Azure Passwordless (using FIDO2 keys), no additional license is needed.